Forefront TMG works at various communication layers to protect the corporate network. At the packet layer, Forefront TMG implements packet filtering. Data then passes to the Microsoft Firewall service and, when necessary, to the Web proxy, where Forefront TMG rules are processed to determine if the request should be serviced.
The following figure shows in detail the architecture of the Forefront TMG array.
By default, a Forefront TMG array includes only one Forefront TMG server, and joining additional Forefront TMG servers to an array is supported only in Forefront TMG Enterprise Edition. The following explanation focuses on the architecture of a single Forefront TMG server. The server includes these components:
- The firewall, consisting of the Microsoft Firewall service, the Forefront TMG Web proxy, and application filters:
- IP packet filter.
- SecureNAT driver. A function of Forefront TMG that performs network address translation (NAT) in place of the Windows NAT mechanism. For more information, see Secure Network Address Translation.
- Web proxy. Includes Web filters and the cache.
- Firewall service. Handles connect requests sent by Forefront TMG Client and Firewall Client computers and by SecureNAT clients. HTTP requests are diverted to the Web proxy.
- Application filters. Third-party filters can be developed to extend the Firewall service by using the application filter interfaces.
As shown in the diagram, Forefront TMG protects three types of clients:
- Forefront TMG Client and Firewall Client computers are computers that have the Firewall Client software installed and enabled. On these computers, the client software intercepts requests that Windows Sockets (Winsock) applications send to other computers and decides whether to route them to the Forefront TMG server or to send them directly to destinations that are considered local. Requests from Forefront TMG Client and Firewall Client computers that are accepted by a Forefront TMG server are directed to the Firewall service to determine whether access is allowed. Subsequently, the requests can be filtered by application filters and other add-ins. If a Forefront TMG Client or Firewall Client computer requests an HTTP object, the Firewall service redirects the request to the Web proxy. The Web proxy may also cache the requested object, or serve the object from the Forefront TMG cache. For more information about Forefront TMG Client and Firewall Client computers, see Forefront TMG Client Computers.
- SecureNAT clients are computers that send requests to the Forefront TMG server, but do not have Forefront TMG Client or Firewall Client installed. Requests from SecureNAT clients are directed first to the NAT driver, which substitutes a global IP address that is valid on the Internet for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service, to determine whether access is allowed. Finally, the request can be filtered by application filters and other add-ins. If the SecureNAT client requests an HTTP object, the Firewall service redirects the request to the Web proxy. The Web proxy may also cache the requested object, or serve the object from the Forefront TMG cache. For more information about SecureNAT clients, see SecureNAT Clients.
- Web proxy clients are any browser applications compatible with the standards of Conseil Europeen pour la Recherche Nucleaire (CERN). Forefront TMG redirects Web requests from clients to the Web proxy on the Forefront TMG server to determine whether access is allowed. The Web proxy can also cache the requested object or serve the object from the Forefront TMG cache.
Note Forefront TMG Client and Firewall Client computers, as well as SecureNAT clients, can also be Web proxy clients. If the Web application on the computer is configured explicitly to use the Forefront TMG server as its proxy, then all Web requests (HTTP, HTTPS, and FTP download requests) are sent directly to the Web proxy. Also, requests generated by applications that do not use Winsock APIs on Forefront TMG Client and Firewall Client computers are processed as requests from a SecureNAT client, but only if the computer's default gateway is configured so that traffic is sent by way of the Forefront TMG server, either directly or indirectly through a router; otherwise such traffic never reaches the Forefront TMG server at all.
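The following is an added illustration, not code from Microsoft or from the Forefront TMG product, of the request path just described for the three client types. It models which components (IP packet filter, SecureNAT driver, Firewall service, application filters, Web proxy) a request traverses, when a Firewall Client computer sends a request directly because the destination is local, and when a computer without client software is simply unprotected because its default gateway does not lead to the TMG server. The address ranges, client records and request tuples are constructed for the example; the `Client`, `Request` and `request_path` names are this example's own.

```python
"""Model of the single-server Forefront TMG request path described above.

Constructed illustration only: it does not reproduce Microsoft's code. The
local address ranges and the client/request records are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Assumption: internal address ranges that the Firewall Client software
# considers "local" and therefore reaches directly, bypassing the TMG server.
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Requests an explicitly configured web application sends to the Web proxy.
WEB_PROXY_PROTOCOLS = {"http", "https", "ftp-download"}


@dataclass
class Client:
    firewall_client: bool       # Forefront TMG Client / Firewall Client installed and enabled
    gateway_via_tmg: bool       # default gateway sends traffic through the TMG server
    browser_uses_proxy: bool    # web application explicitly configured to use TMG as proxy


@dataclass
class Request:
    client: Client
    dst: str                    # destination IP address
    protocol: str               # "http", "https", "ftp-download", "smtp", ...
    winsock: bool = True        # issued through the Winsock API
    from_browser: bool = False  # issued by the explicitly configured web application


def is_local(dst: str) -> bool:
    """True when the destination lies inside the internal address ranges."""
    addr = ip_address(dst)
    return any(addr in net for net in LOCAL_NETWORKS)


def request_path(req: Request) -> List[str]:
    """Return the ordered components a request traverses on the TMG server,
    or a single marker ("direct", "unprotected") when it never reaches it."""
    c = req.client

    # Web proxy client: the browser is configured to use TMG, so its
    # HTTP/HTTPS/FTP download requests go straight to the Web proxy.
    if req.from_browser and c.browser_uses_proxy and req.protocol in WEB_PROXY_PROTOCOLS:
        return ["packet-filter", "web-proxy"]

    # Firewall Client: Winsock requests are intercepted on the client; local
    # destinations are sent directly, everything else to the Firewall service.
    if c.firewall_client and req.winsock:
        if is_local(req.dst):
            return ["direct"]
        path = ["packet-filter", "firewall-service", "application-filters"]
        if req.protocol == "http":
            path.append("web-proxy")  # Firewall service redirects HTTP objects
        return path

    # Everything else (no client software, or a non-Winsock application) is a
    # SecureNAT client and only reaches TMG if TMG is on its gateway path.
    if not c.gateway_via_tmg:
        return ["unprotected"]  # traffic never touches the TMG server
    if is_local(req.dst):
        return ["direct"]  # assumption: intranet traffic is not routed to the gateway
    path = ["packet-filter", "securenat-driver", "firewall-service", "application-filters"]
    if req.protocol == "http":
        path.append("web-proxy")
    return path


if __name__ == "__main__":
    fwc = Client(firewall_client=True, gateway_via_tmg=True, browser_uses_proxy=False)
    for r in (Request(fwc, "203.0.113.10", "http"),
              Request(fwc, "10.1.2.3", "smtp"),
              Request(fwc, "203.0.113.10", "smtp", winsock=False)):
        print(r.protocol, r.dst, "->", " > ".join(request_path(r)))
```

The ordering of the checks mirrors the note: an explicitly configured browser wins regardless of whether the client software is installed, a non-Winsock application on a Firewall Client computer falls through to the SecureNAT branch, and the SecureNAT branch is the only one where the gateway configuration decides whether the server sees the traffic at all.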
Build date: 7/12/2010